question regarding US requirements for journaling public email (possible legislation?)
Hope y'all had an 'eventless' holiday. (I.e. no pages at 2 am on a holiday morning). Sorry to drop what is possibly just someone misunderstanding something or pulling my leg on the list, but over the holidays I ran into one of my buddies that is also a network admin type and he was griping about mail journalling, which I already do for our corporate email accounts. However, his discussion was in terms of all customer email... Which I said was probably a bad thing to do. His response was there is legislation being pushed in both House and Senate that would require journalling for 2 or 5 years, all mail passing through all of your mail servers.

I've seen nothing, and my google fu has turned up nothing other than corporate requirements, so I ask here. Has anyone heard of such a bill working its way through either side of congress?

(I am speaking specifically of full email journaling, not just logs, which I do archive for significant amounts of time.)

I also don't want to discuss the pros, cons, merits, costs, goods, or evils of such a requirement, just wanted to know if this is something I should be looking forward towards maybe needing to implement.

Thanks for your attention and may you have a low incident new year.

__________________________
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165

This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited.
Based on some I have received off list it seems no-one has ever heard of such a proposal that has had any serious traction, so I assume the gentleman was either mistaken, paranoid, or trying to pull a joke on me.

Thank you for the responses everyone. You can now get back to your regularly scheduled regulatory headaches.

__________________________
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165
-----Original Message----- From: Eric J Esslinger [mailto:eesslinger@fpu-tn.com] Sent: Thursday, January 05, 2012 9:57 AM To: 'nanog@nanog.org' Subject: question regarding US requirements for journaling public email (possible legislation?)
If you search for "email archiving" instead of journaling you'll come up with a lot more information. It dates back to court rule changes in 2006. Most of it is hype because of [largely incorrect] articles like this one (just one of the first hits): http://www.itworld.com/security/55954/law-requires-email-archiving

It's really something that you would need a lawyer to give you an answer on (I am not a lawyer, this is not legal advice, etc). My [limited] understanding is that you are required to disclose whether or not you have any electronic document (including email) requested as part of the discovery process. If you do have it, you're required to produce it. Since it being on some hard drive of an employee computer qualifies as having it, many larger companies decided to archive centrally. The rules only require 7 years back (I think), so that's the amount of time it's generally archived for.

TL;DR you're not required to archive email, but you need to know whether or not you have it if asked.

Again, my understanding here is pretty limited. If anyone knows for certain feel free to chime in.

On Thu, Jan 5, 2012 at 12:54 PM, Eric J Esslinger <eesslinger@fpu-tn.com> wrote:
-- Ray Soucy Epic Communications Specialist Phone: +1 (207) 561-3526 Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/
On Thu, Jan 5, 2012 at 10:56 AM, Eric J Esslinger <eesslinger@fpu-tn.com> wrote:
His response was there is legislation being pushed in both House and Senate that would require journalling for 2 or 5 years, all mail passing through all of your mail servers.
Hi Eric,

The only relatively recent thing I'm aware of in the Congress is the Protecting Children From Internet Pornographers Act of 2011.
http://thomas.loc.gov/cgi-bin/bdquery/z?d112:h.r.01981:

What it actually says is:

`(1) A commercial provider of an electronic communication service shall retain for a period of at least one year a log of the temporarily assigned network addresses the provider assigns to a subscriber to or customer of such service that enables the identification of the corresponding customer or subscriber information under subsection (c)(2) of this section.'

That may mean journaling individual TCP connections in a NAT environment but it doesn't address content, email or otherwise. I'd say your friend was confused.

The really odd thing is that the act also says:

`(2) Access to a record or information required to be retained under this subsection may not be compelled by any person or other entity that is not a governmental entity.'

What does that mean for the MPAA seeking the identity of a bit torrent user?

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
On Thu, 05 Jan 2012 13:42:50 EST, William Herrin said:
The really odd thing is that the act also says:
`(2) Access to a record or information required to be retained under this subsection may not be compelled by any person or other entity that is not a governmental entity.'
What does that mean for the MPAA seeking the identity of a bit torrent user?
Means they need to get a subpoena (at which point it's the court, a governmental entity, doing the compelling).
On Jan 5, 2012, at 10:42 AM, William Herrin wrote:
On Thu, Jan 5, 2012 at 10:56 AM, Eric J Esslinger <eesslinger@fpu-tn.com> wrote:
His response was there is legislation being pushed in both House and Senate that would require journalling for 2 or 5 years, all mail passing through all of your mail servers.
Hi Eric,
The only relatively recent thing I'm aware of in the Congress is the Protecting Children From Internet Pornographers Act of 2011.
Since you bring it up, I sent this to Eric a few moments ago. Like you, IANAL, and this is not legal advice.
From: Fred Baker <fred@cisco.com> Date: January 5, 2012 10:46:30 AM PST To: Eric J Esslinger <eesslinger@fpu-tn.com> Subject: Re: question regarding US requirements for journaling public email (possible legislation?)
I don't know of anything on email journaling, but you might look into section 4 of the "Protecting Children From Internet Pornographers Act of 2011", which asks you to log IP addresses allocated to subscribers. My guess is that the concern is correct, but the details have morphed into urban legend.
http://www.govtrack.us/congress/billtext.xpd?bill=h112-1981 http://www.techdirt.com/articles/20110707/04402514995/congress-tries-to-hide...
I'm not sure I see this as shrilly as the techdirt article does, but it is in fact enabling legislation for a part of Article 20 of the COE Cybercrime Convention http://conventions.coe.int/Treaty/en/Treaties/html/185.htm. The US is a signatory. Article 21 is Lawful Intercept as specified in OCCSSS, FISA, CALEA, and PATRIOT. Article 20 essentially looks for retention of mail/web/etc logs, and in the Danish interpretation, maintaining Netflow records for every subscriber in Denmark along with a mapping between IP address and subscriber identity in a form that can be data mined with an appropriate warrant.
I can't say (I don't know) whether the Danish Police have in fact implemented what they proposed in 2003. What they were looking for at the time was that the netflow records would be kept for something on the order of 6-18 months.

From a US perspective, you might peruse
http://en.wikipedia.org/wiki/Telecommunications_data_retention#United_States

The Wikipedia article goes on to comment on the forensic value of data retention. I think it is fair to say that the use of telephone numbers in TV shows like CSI ("gee, he called X a lot, maybe we should too") is the comic book version of the use but not far from the mark. A law enforcement official once described it to me as "mapping criminal networks"; if Alice and Bob are known criminals that talk with each other, and both also talk regularly with Carol, Carol may simply be a mutual friend, but she might also be something else. Further, if Alice and Bob are known criminals in one organization, Dick and Jane are known criminals in another, and a change in communication patterns is observed - Alice and Bob don't talk with Dick or Jane for a long period, and then they start talking - it may signal a shift that law enforcement is interested in.
On Jan 5, 2012, at 2:16 PM, Fred Baker wrote:
Yah, but that's all "non-content records"; it's a far cry from having to retain the body of every email, which is what he asked about. As far as I know -- and I'm on enough tech policy lists that I probably would know -- nothing like that is being proposed. That said, for a few industries -- finance comes to mind -- companies are required to do things like that by the SEC, but not ISPs per se. See http://www.archivecompliance.com/Laws-governing-email-archiving-compliance.h... for some details.

--Steve Bellovin, https://www.cs.columbia.edu/~smb
On Thu, Jan 5, 2012 at 7:56 AM, Eric J Esslinger <eesslinger@fpu-tn.com>wrote:
(I am speaking specifically of full email journaling, not just logs, which I do archive for significant amounts of time.)
I also don't want to discuss the pros, cons, merits, costs, goods, or evils of such a requirement, just wanted to know if this is something I should be looking forward towards maybe needing to implement.
This is probably not what you want to hear, but you should really read through EFF's "Best Practices for Online Service Providers." https://www.eff.org/wp/osp

Specifically:

OSPs cannot be forced to provide data that does not exist. EFF suggests that OSPs draft an internal policy that states that they collect only limited information and do not retain any logs of user activity on their networks for more than a few weeks. If a court order requests data that is more than a few weeks old, the OSP can simply point to the policy and explain that it cannot furnish the requested data. Likewise, if unnecessary PII is regularly deleted, the OSP cannot supply what it does not retain. This saves the OSP time and money, while also providing the OSP with sufficient data for its own administrative and business purposes.
I would love to ask the EFF just what you do when you don't log stuff, and then need to troubleshoot someone causing a DDoS or something from your network in a hurry. Not that I'd get any sort of a useful answer from them, beyond random propaganda that spam filtering is evil, DPI is demoniacal etc etc.

On Fri, Jan 6, 2012 at 3:54 AM, John Adams <jna@retina.net> wrote:
OSPs cannot be forced to provide data that does not exist. EFF suggests that OSPs draft an internal policy that states that they collect only limited information and do not retain any logs of user activity on their networks for more than a few weeks. If a court order requests data that is more than a few weeks old, the OSP can simply point to the policy and explain that it cannot furnish the requested data. Likewise, if unnecessary PII is regularly deleted, the OSP cannot supply what it does not retain. This saves the OSP time and money, while also providing the OSP with sufficient data for its own administrative and business purposes.
-- Suresh Ramasubramanian (ops.lists@gmail.com)
On Fri, 06 Jan 2012 09:11:30 +0530, Suresh Ramasubramanian said:
I would love to ask the EFF just what you do when you don't log stuff, and then need to troubleshoot someone causing a DDoS or something from your network in a hurry.
What John actually said:
OSPs cannot be forced to provide data that does not exist. EFF suggests that OSPs draft an internal policy that states that they collect only limited information and do not retain any logs of user activity on their networks for more than a few weeks.
You need to track down a miscreant user *right now*? You got the last 48 hours of logs right at hand. It's been a week? Meh, if somebody's been getting hit by a DDoS for a week and is just now calling you, the fact they have a DDoS is the least of their problems. Toss the logs. :)
Not that I'd get any sort of a useful answer from them, beyond random propaganda that spam filtering is evil, DPI is demoniacal etc etc.
Might want to go and actually read https://www.eff.org/wp/osp before you say that. The PDF version runs to about 15 pages of detailed and useful info for an OSP.
There's no shortage of stuff that reaches you 80..90 days after the fact.

The UK voluntary retention rules make a lot more sense, compared to "a few days", which is entirely impractical.

On Fri, Jan 6, 2012 at 9:30 AM, <Valdis.Kletnieks@vt.edu> wrote:
You need to track down a miscreant user *right now*? You got the last 48 hours of logs right at hand. It's been a week? Meh, if somebody's been getting hit by a DDoS for a week and is just now calling you, the fact they have a DDoS is the least of their problems. Toss the logs. :)
-- Suresh Ramasubramanian (ops.lists@gmail.com)
On Jan 5, 2012, at 11:05:37 PM, Suresh Ramasubramanian wrote:
There's no shortage of stuff that reaches you 80..90 days after the fact.
The UK voluntary retention rules make a lot more sense, compared to "a few days", which is entirely impractical.
The answer from the EFF is the same: retain what *you* have an operational or administrative need for. This is very different from a legislative mandate for multiyear retention.

--Steve Bellovin, https://www.cs.columbia.edu/~smb
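Two operational points run through this thread: Bill Herrin's remark that the cited bill's address-assignment log "may mean journaling individual TCP connections in a NAT environment", and the later exchange about keeping such records only for as long as you have a need for them. The following is an added example (not code from any participant, from NANOG, or from any vendor) showing what those "non-content records" look like in practice and how a retention window bounds what can be furnished: it parses constructed, hypothetical CGNAT allocation/release log lines, answers "which subscriber held this public address and port at this time", and refuses requests that fall outside a configurable retention window. The log format, the subscriber identifiers, the 14-day window used in the usage lines, and the function names are all assumptions for illustration.

```python
"""Subscriber attribution from NAT address-assignment records, bounded by a retention window.

Added example, not from the thread. The records are "non-content": which subscriber
held which public address/port and when. Nothing about payloads is kept.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample log (hypothetical syslog-style CGNAT format, not any vendor's).
# Fields: timestamp, event, subscriber id, inside address, outside address, outside port.
# 203.0.113.0/24 is a documentation prefix; subscriber ids are made up.
SAMPLE_LOG = """\
2012-01-05T14:00:00Z NAT-ALLOC sub=cust-1042 in=10.20.3.7 out=203.0.113.8 port=40001
2012-01-05T14:00:05Z NAT-ALLOC sub=cust-0077 in=10.20.9.2 out=203.0.113.8 port=40002
2012-01-05T14:30:00Z NAT-FREE sub=cust-1042 in=10.20.3.7 out=203.0.113.8 port=40001
2012-01-05T14:31:00Z NAT-ALLOC sub=cust-2300 in=10.20.5.9 out=203.0.113.8 port=40001
2012-01-05T15:00:00Z NAT-FREE sub=cust-0077 in=10.20.9.2 out=203.0.113.8 port=40002
2012-01-05T15:00:00Z NAT-FREE sub=cust-2300 in=10.20.5.9 out=203.0.113.8 port=40001
"""


@dataclass
class Session:
    subscriber: str
    inside: str
    outside: str
    port: int
    start: datetime
    end: Optional[datetime] = None  # None while the binding is still active


@dataclass
class RetentionPolicy:
    days: int  # how long completed address-assignment records are kept (assumed policy knob)


def parse_ts(text: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_nat_log(text: str) -> List[Session]:
    """Pair NAT-ALLOC / NAT-FREE events into sessions keyed by (outside address, port).

    A port can be reused after release, so the key maps only to the currently active binding.
    """
    active: Dict[Tuple[str, int], Session] = {}
    sessions: List[Session] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        key = (kv["out"], int(kv["port"]))
        when = parse_ts(ts)
        if event == "NAT-ALLOC":
            session = Session(kv["sub"], kv["in"], kv["out"], int(kv["port"]), when)
            active[key] = session
            sessions.append(session)
        elif event == "NAT-FREE":
            session = active.pop(key, None)
            if session is not None:
                session.end = when
    return sessions


def lookup(sessions: List[Session], outside: str, port: int, at: datetime) -> Optional[str]:
    """Return the subscriber holding outside:port at time `at`, or None if nobody did."""
    for s in sessions:
        if s.outside == outside and s.port == port and s.start <= at and (s.end is None or at < s.end):
            return s.subscriber
    return None


def prune(sessions: List[Session], now: datetime, policy: RetentionPolicy) -> List[Session]:
    """Drop completed records older than the window; still-active bindings are always kept."""
    cutoff = now - timedelta(days=policy.days)
    return [s for s in sessions if s.end is None or s.end >= cutoff]


def attribute(sessions, outside, port, at, now, policy) -> Tuple[str, Optional[str]]:
    """Answer an attribution request the way a stated retention policy allows.

    Requests for times before the retention cutoff get "not-retained" rather than a guess.
    """
    if at < now - timedelta(days=policy.days):
        return ("not-retained", None)
    subscriber = lookup(sessions, outside, port, at)
    return ("found", subscriber) if subscriber else ("no-match", None)


if __name__ == "__main__":
    sessions = parse_nat_log(SAMPLE_LOG)
    now = parse_ts("2012-01-10T00:00:00Z")
    policy = RetentionPolicy(days=14)  # assumed "a few weeks" window, not a legal figure
    print(attribute(sessions, "203.0.113.8", 40001, parse_ts("2012-01-05T14:45:00Z"), now, policy))
    print(attribute(sessions, "203.0.113.8", 40001, parse_ts("2011-12-01T00:00:00Z"), now, policy))
    print(len(prune(sessions, parse_ts("2012-02-01T00:00:00Z"), policy)), "records left after pruning")
```

The design choice worth noting is that port 40001 is reused by a second subscriber within the hour, so an attribution that ignores the timestamp (or keeps only the public address) is ambiguous; the lookup needs address, port and time together, which is exactly the per-connection journaling Herrin describes. Pruning and the retention check are driven by one policy object so that what the operator can produce and what it has kept stay consistent.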
participants (8)
- Eric J Esslinger
- Fred Baker
- John Adams
- Ray Soucy
- Steven Bellovin
- Suresh Ramasubramanian
- Valdis.Kletnieks@vt.edu
- William Herrin